Snort: IDS Done Well (and Good)

The Joys of Success

July 2, 2007

By
Jeffrey Carr

A few years ago, when we spoke of network intrusion security
systems, we spoke of IDS (Intrusion Detection System) appliances.
More recently, as the emphasis has shifted from detecting attacks to
stopping them, IDS has become IPS (Intrusion Prevention System): a
device that sits in-line and can block traffic rather than only
report it.

The compelling force behind this change is the same one that has
thrust an open source software company named SourceFire to the
front of the Network Intrusion Prevention System Appliances market
sector: a fast-changing threat environment. In an article for
Military Information Technology, Deputy Undersecretary of Defense
Sue Payton writes that "if the boots-on-the-ground community is
urged to 'train as you fight,' the technology community that
supports warfighters must similarly be urged to code as we fight,"
which is her way of saying that rapidly changing threats require
the agility of rapidly modifiable and accessible source code.

In other words, open source.

There are many reasons why open source software is finding a
home in this country's most security-conscious departments of
government. Payton is inspired by an oft-quoted truism in the open
source community known as Linus' Law: "Given enough
eyeballs, all bugs are shallow." This truism has been proven
to the satisfaction of decision makers at DARPA, GSA, NIST, NSA as
well as the Armed Forces, all of whom are implementing open source
solutions for their software needs--Snort among them.

The open source part of SourceFire is known as Snort. It started
out as a weekend project for a software engineer named Martin
Roesch in 1998. Martin was looking to develop a "light-weight
intrusion detection technology." In 2001, Roesch decided to
expand on what he had accomplished with Snort and added some
proprietary tools that would improve ease of operation for network
administrators. The new company was named SourceFire. While Snort
remained an open source, rules-based detection engine, SourceFire
added proprietary modules that dramatically improved Snort's
capabilities.

In 2006, Check Point Software Technologies, an Israeli enterprise
security company that owns Zone Alarm, tried to acquire SourceFire
for $225 million. The deal never happened due to red flags raised by
FBI and Pentagon officials, and Check Point voluntarily withdrew its
offer. Seven months later, SourceFire announced that it had filed
papers with the SEC to become a publicly traded company. This news
has generated a lot of excitement in the security software community
for two reasons: first, it is the first security IPO to come along in
a very long time, and second, it would validate the open source model
as a commercially viable one. The latest news on the SourceFire IPO
is that it will offer 5.77 million shares of stock at an estimated
$12-$14 per share.

Gartner's Magic Quadrant for Network Intrusion Prevention System
Appliances (2006) lists SourceFire as one of five leaders in this
market sector; 3Com's TippingPoint, IBM, McAfee, and Juniper Networks
make up the other four.

Gartner defines intrusion prevention appliances as "in-line devices
that perform full-stream assembly of network traffic, and they
provide detection using several methods including signatures,
protocol anomaly detection, and behavioral or heuristics." In other
words, where matching simple attack signatures and raising an alert
used to be the norm, an IPS must reassemble the traffic stream,
block the traffic that matches vulnerability-based signatures,
recognize a range of protocol and behavioral anomalies as attacks,
and let everything else through. That last part matters: a device
that sits in-line turns every false positive into an outage, which
is why rule quality, not just rule count, decides whether a Snort
rule is safe to run as a blocking rule.